DNS & BIND Cookbook
Authors: Liu C.
Published year: 2005
Pages: 114-116/220

5.18 Limiting Concurrent TCP Clients

5.18.1 Problem

You want to limit the number of concurrent TCP clients a name server handles.

5.18.2 Solution

Use the BIND 9 tcp-clients options substatement. For example:

options {
    directory "/var/named";
    tcp-clients 500;
};

The default limit is 100 TCP clients.

5.18.3 Discussion

The limit on TCP clients applies to both discrete TCP queries and TCP zone transfers. A name server probably won't receive many TCP-based queries from resolvers, since nearly all resolvers send UDP-based queries by default. Most zone transfer requests, however, are TCP-based, so don't set the limit lower than transfers-out.

Remember that the operating system places a limit on the number of file descriptors available to the named process, and each TCP connection to the name server uses one of these. If you make the tcp-clients limit higher than the OS-imposed limit, it's possible the name server will run out of file descriptors, which it needs for reading and writing zone data files and listening for control messages.

If a name server reaches the limit on TCP clients, it will refuse those TCP-based queries and you'll see messages like this one in its syslog output:

named[579]: client 192.168.0.11#1567: no more TCP clients: quota reached

Check whether the TCP queries the name server is serving are legitimate (e.g., not part of some distributed denial of service attack). If they are, raise the limit to accommodate them.

There's no corresponding substatement in BIND 8.

5.18.4 See Also

Section 5.17, for limiting concurrent zone transfers.


5.19 Limiting Concurrent Recursive Clients

5.19.1 Problem

You want to limit the number of concurrent recursive clients a name server handles.

5.19.2 Solution

Use the BIND 9 recursive-clients options substatement. For example:

options {
    directory "/var/named";
    recursive-clients 500;
};

The default limit is 1,000 recursive clients.

5.19.3 Discussion

With recursive-clients, you can limit the number of recursive queriers a name server will handle concurrently. A name server receives recursive queries both from resolvers and from name servers that use it as a forwarder. Since each recursive query consumes about 20K of memory, the total amount of memory needed to service 1,000 queriers -- the default limit -- is about 20MB. If a name server doesn't have that much real memory available, you may need to set its limit lower.

If a name server reaches this limit, it will refuse further recursive queries and you'll see messages like this one in its syslog output:

named[579]: client 192.168.0.11#1567: no more recursive clients: quota reached

Check whether the recursive clients the name server is serving are legitimate (e.g., not part of some distributed denial of service attack). If they are, and there's sufficient memory available on the host, raise the limit to accommodate them.
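Both Recipe 5.18 and Recipe 5.19 tell you to look at the "quota reached" messages and decide whether the refused clients are legitimate. The following Python script is an added example, not part of the book: it parses syslog lines in the format shown above, counts refusals per source address for each quota, and flags any single address responsible for most of them. The log lines are constructed for illustration.

```python
import re
from collections import Counter

# Matches the "no more TCP clients" and "no more recursive clients" messages
# quoted in Recipes 5.18 and 5.19; the syslog prefix before "client" may vary.
QUOTA_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"no more (?P<kind>TCP|recursive) clients: quota reached"
)

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = """\
named[579]: client 192.168.0.11#1567: no more TCP clients: quota reached
named[579]: client 192.168.0.11#1568: no more TCP clients: quota reached
named[579]: client 192.168.0.11#1569: no more TCP clients: quota reached
named[579]: client 10.0.0.5#53012: no more recursive clients: quota reached
named[579]: client 192.168.0.42#2000: no more recursive clients: quota reached
named[579]: zone foo.example/IN: loaded serial 2005010101
"""


def quota_hits(log_text):
    """Return {"TCP": Counter, "recursive": Counter} of refusals per client IP."""
    hits = {"TCP": Counter(), "recursive": Counter()}
    for line in log_text.splitlines():
        m = QUOTA_RE.search(line)
        if m:
            hits[m.group("kind")][m.group("ip")] += 1
    return hits


def dominant_sources(counts, share=0.5):
    """Addresses that account for at least `share` of one quota's refusals.

    One address dominating the refusals suggests the load is not ordinary
    resolver traffic; many addresses with a few refusals each looks more
    like a limit that is simply set too low for legitimate demand."""
    total = sum(counts.values())
    if total == 0:
        return []
    return [ip for ip, n in counts.most_common() if n / total >= share]


if __name__ == "__main__":
    for kind, counts in quota_hits(SAMPLE_LOG).items():
        print(kind, dict(counts), "dominant:", dominant_sources(counts))
```

Run it against /var/log/messages (or wherever named logs) instead of SAMPLE_LOG; if no address dominates and the hosts are your own resolvers, the recipe's advice to raise the limit applies.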

There's no corresponding substatement in BIND 8.

5.19.4 See Also

"Resource Limits" in Chapter 10 of DNS and BIND.


5.20 Dynamically Updating a Zone

5.20.1 Problem

You want to dynamically update a zone.

5.20.2 Solution

Use the nsupdate program to send updates to your zone. First, start nsupdate in interactive mode:

$ nsupdate

The basic command in nsupdate's interactive mode is update. To add a new record, use update add. To delete one or more records, use update delete. update add takes a resource record, including an explicit TTL, as an argument. For example:

> update add host.foo.example. 3600 A 192.168.0.31

You can leave out the class, though; it defaults to IN, for "Internet."

To delete a particular record, specify the record as an argument to update delete:

> update delete foo.example. MX 10 mail.foo.example.

To delete all records of a particular type attached to a domain name, specify the domain name and type as an argument to update delete:

> update delete foo.example. MX

Finally, to delete all records of any type attached to a domain name, specify just the domain name as an argument to update delete:

> update delete host.foo.example.

You can perform more than one add or delete operation at once by specifying multiple update commands, each on its own line, as long as the changes are made to a single zone. Once you're ready to send the update, type:

> send

If you're running a BIND 8 version of nsupdate, just type a blank line:

>

5.20.3 Discussion

Here's a complete nsupdate session:

$ nsupdate
> update delete www.foo.example. IN A
> update add www.foo.example. 3600 IN A 192.168.0.89
> send

nsupdate can communicate with (and hence update) any name server. It looks up the SOA record of the zone the domain name in the update belongs in and sends the update to the name server listed in the MNAME field. Consequently, you should make sure the MNAME field of each of your zones' SOA records contains the domain name of the real primary master name server for the zone.

Since nsupdate gives you very little feedback, you may find it helpful to run nsupdate with the -d (debug) option. That way, you can see the output from the name server that receives the update.
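The delete-then-add session above is the usual way to replace a record, and it is easy to get the batch wrong by hand (a name without its trailing dot, a bad TTL, a mistyped address). The following Python helper is an added example, not from the book: it validates the inputs, builds the same batch that Recipe 5.20 types interactively, and hands it to nsupdate -d. The function names are my own.

```python
import ipaddress
import subprocess


def validation_errors(name, ttl, rtype, rdatas):
    """Return a list of problems with the update; empty means it is usable."""
    problems = []
    if not name.endswith("."):
        problems.append("owner name %r is not fully qualified (no trailing dot)" % name)
    if not isinstance(ttl, int) or ttl < 0:
        problems.append("TTL %r is not a non-negative integer" % (ttl,))
    if not rdatas:
        problems.append("no rdata given; use update delete alone to remove records")
    if rtype.upper() == "A":
        for r in rdatas:
            try:
                ipaddress.IPv4Address(r)
            except ValueError:
                problems.append("%r is not a valid IPv4 address for an A record" % r)
    return problems


def nsupdate_replace(name, ttl, rtype, rdatas, bind8=False):
    """Build the batch: delete all RTYPE records on NAME, add the new ones.

    Mirrors the interactive session in Recipe 5.20; the class IN is written
    explicitly. BIND 9's nsupdate needs a trailing "send", BIND 8's a blank
    line. Nothing is sent from here."""
    problems = validation_errors(name, ttl, rtype, rdatas)
    if problems:
        raise ValueError("; ".join(problems))
    rtype = rtype.upper()
    lines = ["update delete %s %s" % (name, rtype)]
    for r in rdatas:
        lines.append("update add %s %d IN %s %s" % (name, ttl, rtype, r))
    lines.append("" if bind8 else "send")
    return "\n".join(lines) + "\n"


def run_nsupdate(batch, debug=True):
    """Feed the batch to nsupdate; with -d the server's response is shown."""
    cmd = ["nsupdate"] + (["-d"] if debug else [])
    return subprocess.run(cmd, input=batch, text=True, capture_output=True)


if __name__ == "__main__":
    batch = nsupdate_replace("www.foo.example.", 3600, "A", ["192.168.0.89"])
    print(batch, end="")  # replace with run_nsupdate(batch) on a live server
```

As in the recipe, the update goes to the server named in the zone's SOA MNAME field, so the helper changes nothing about where nsupdate sends it.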

5.20.4 See Also

nsupdate(8); Section 3.11, for how to allow dynamic updates to a zone; Recipes Section 5.21, Section 5.22, and Section 5.23 for variations on sending dynamic updates to a name server; Section 9.10 and Section 9.11, for sending dynamic updates programmatically; and "DNS Dynamic Update" in Chapter 10 of DNS and BIND.
